Stealing a Webcam

Monday, June 17, 2013 @ 07:06 PM gHale

Once thought fixed, an Adobe clickjacking issue in the online Adobe Flash Player Settings Manager can still be leveraged in some web browsers to gain access to a user’s webcam and microphone.

While the exploit is not totally stable yet, it appears to work properly on the Mac version of Chrome, Chromium on Linux, and possibly other configurations, said security researcher Egor Homakov, who developed it.

The proof-of-concept developed by Homakov shows a slideshow of pictures of girls. In the middle of the screen, there’s a play button.

When the user presses the play button, he or she is actually allowing access to the webcam. The Flash permissions window sits in an invisible layer, with the “Allow” button right under the play button.

If you run the proof of concept in Chrome on Mac, your webcam is activated once you press the button and it snaps a picture. Homakov’s exploit doesn’t store the pictures, but cyber criminals would probably store the information on their own servers.
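
A defender-side check for the layering described above, added here as an example that is not from the article or from Homakov's proof of concept: it flags near-transparent embedded content that overlaps a visible clickable element. The descriptor format, the 0.1 opacity threshold, the choice of embedding tags and the sample layout are assumptions constructed for illustration.

```javascript
// Inputs are plain descriptors so the logic runs without a browser; in a page
// they would be built from getBoundingClientRect() and getComputedStyle().
const EMBED_TAGS = new Set(["iframe", "object", "embed"]); // assumed embedding tags
const OPACITY_THRESHOLD = 0.1; // assumed cut-off for "effectively invisible"

// Effective opacity is the product of the element's own opacity and that of
// every ancestor, so a transparent wrapper hides an opaque frame too.
function effectiveOpacity(opacityChain) {
  return opacityChain.reduce((acc, o) => acc * o, 1);
}

// Area of the intersection of two {x, y, w, h} rectangles, 0 if disjoint.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns one finding per (hidden embed, visible clickable) pair that overlaps.
function findHiddenOverlays(elements) {
  const hidden = elements.filter(
    (e) => EMBED_TAGS.has(e.tag) && effectiveOpacity(e.opacityChain) < OPACITY_THRESHOLD
  );
  const decoys = elements.filter(
    (e) => e.clickable && effectiveOpacity(e.opacityChain) >= OPACITY_THRESHOLD
  );
  const findings = [];
  for (const h of hidden) {
    for (const d of decoys) {
      const area = overlapArea(h.rect, d.rect);
      if (area > 0) {
        findings.push({ embed: h.id, decoy: d.id, coveredFraction: area / (d.rect.w * d.rect.h) });
      }
    }
  }
  return findings;
}

// Constructed sample layout: a visible play button, an embedded frame inside a
// transparent wrapper laid over it, and an ordinary visible video frame.
const sampleLayout = [
  { id: "play", tag: "button", clickable: true, opacityChain: [1], rect: { x: 300, y: 200, w: 80, h: 40 } },
  { id: "settings", tag: "iframe", clickable: false, opacityChain: [0.01, 1], rect: { x: 100, y: 100, w: 400, h: 300 } },
  { id: "video", tag: "iframe", clickable: false, opacityChain: [1], rect: { x: 0, y: 500, w: 400, h: 300 } },
];
```

On the sample layout, `findHiddenOverlays(sampleLayout)` reports only the transparent frame covering the play button; the visible video frame is ignored.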
